Top E-commerce Scams 2025: How to Spot & Prevent Online Shopping Fraud

Introduction

Fake Online Stores and Marketplaces

1. Counterfeit Marketplaces
2. Advance Fee Scams (E-commerce)
3. Fake Auction Sites
4. Formjacking

Shipping and Delivery Fraud

1. Fake Parcel Delivery Notifications
2. Package Intercept Scams
3. Delivery Fee Scams

Other E-commerce Scams

1. Ticketing & Event Fraud

Synthesis Section

1. Overall Trends in E-commerce Scams
2. Comparative Analysis of Scam Types by Risk and Impact
3. Key Takeaways for Stakeholders

FAQs for E-commerce Scams

Introduction

The global e-commerce ecosystem is facing an escalating threat from sophisticated fraudulent activities, with projected losses reaching $48 billion annually in 2025. As digital commerce expands, fraudsters have developed increasingly complex methods to exploit consumers and businesses, ranging from highly professional fake online stores to advanced shipping frauds. The findings reveal that phishing attacks affect 43% of merchants globally, and account takeover fraud is a top concern for 21% of businesses. E-shop scams alone rose by an alarming 790% in the first quarter of 2025 compared to the same period in 2024, underscoring the severity of the challenge. Emerging threats, including AI-powered deepfake technology and synthetic identity fraud, represent the next frontier in this ongoing battle.

Fake Online Stores and Marketplaces

1. Counterfeit Marketplaces

Fake online stores and marketplaces are digitally sophisticated storefronts designed to deceive consumers into believing they are legitimate businesses. These fraudulent operations lure victims by offering products at attractively low prices, subsequently delivering counterfeit goods, inferior quality products, or nothing at all after payment is received. The scams have evolved dramatically from simple fraudulent listings on legitimate platforms in the early 2000s to today’s sophisticated independent storefronts that mimic genuine retailers using professional web design, fake reviews, and stolen product images. The global prevalence of this scam type is substantial, with e-commerce fraud losses projected to reach $91 billion by 2028. Counterfeit marketplaces are a key component of broader e-commerce fraud, with worldwide losses estimated at around $44 billion in 2024.

Counterfeit marketplaces are defined as fraudulent online platforms or sellers that offer imitation, substandard, or entirely fictional products, often mimicking legitimate brands. Reports indicate that 84% of people targeted by a fake shopping website engaged with it, and 47% of all targets lost money.

How It Works (Step-by-Step Mechanism)

Scammers utilize technical methods and sophisticated infrastructure to establish and operate counterfeit marketplaces.

Website Creation: Fraudsters use readily available e-commerce platforms such as Shopify, WooCommerce, or Magento to quickly create professional-looking storefronts. They often use stolen templates and product images from legitimate businesses, and these sites typically include fake “About Us” sections, contact information, and social proof elements to appear genuine. Many counterfeit operations use cheap templates or cloning tools like HTTrack to copy real websites, misusing legitimate software to grab logos, photos, and fake trust badges. Sophisticated operators engage in typosquatting (using minor misspellings or adding hyphens) or purchase expired domains that once belonged to legitimate businesses.

Traffic Generation: Fraudsters drive potential victims to these fake storefronts through aggressive tactics:

• Social Media Advertising: Heavy utilization of platforms like Facebook, Instagram, and TikTok, where limited oversight enables rapid victim acquisition.
• Search Engine Optimization (SEO): Techniques targeting popular products or using SEO poisoning by flooding the internet with shady blog posts and fake news articles linking back to scam stores.
• Spam Campaigns: Email campaigns and creating fraudulent social media accounts that pose as legitimate brands or satisfied customers.

Payment Processing: To avoid detection and maximize profit, these operations typically request direct bank transfers or payments through irreversible methods rather than secure payment gateways that offer buyer protection. They may initially use legitimate payment processors but quickly disappear before complaints accumulate.

Emerging Tactics:

• Brand Impersonation: Creating near-perfect replicas of established retail websites, often using similar domain extensions (e.g., .net instead of .com).
• Triangulation Fraud: Fraudsters set up fake storefronts, take orders using stolen credit card information, then have legitimate merchants fulfill purchases, creating a complex chain that obscures the original fraudster.
• Trust Building: Fraudsters use AI tools to auto-generate fake reviews, hijack old product listings on marketplaces, and create deepfake-style customer videos to build confidence. 

Store Type	Primary Method	Consumer Impact	Detection Difficulty
Counterfeit Store	Sells fake versions of branded products	Receipt of inferior/substandard goods	Medium – Discovered upon product receipt
Non-Delivery Store	Accepts payments but never ships	Complete financial loss	High – Only discovered after payment
Triangulation Store	Uses stolen payment data for fulfillment	Potential legal complications	Very High – Can appear legitimate

Real-World Examples and Case Studies (2020-2025)

1. Southeast Asian Luxury Goods Scam (2024): A sophisticated fake marketplace operation targeted consumers in Southeast Asia, resulting in losses exceeding $2.3 million. The scammers created multiple fake luxury goods stores and used stolen social media influencer content to build credibility. Victims received either counterfeit products or nothing at all. The operation was traced to a criminal group using shell companies in multiple jurisdictions, leading to arrests in Malaysia and Singapore.
2. United States Fake COVID-19 Supplies Marketplace (2023): A network of fake online stores selling counterfeit rapid test kits and personal protective equipment defrauded over 2,500 Americans of approximately $1.8 million. The stores used professional designs mimicking legitimate medical supply companies and ran targeted Facebook ads. Six individuals connected to the operation were indicted by the U.S. Department of Justice.
3. The Phish ‘n’ Ships Campaign (2024): This fully automated scheme hijacked over 1,000 websites to redirect shoppers to more than 200 fake online stores operating in Dutch, English, French, and German. The purpose was to steal payment card details without delivering goods, with bots executing every stage of the campaign. Estimated losses exceeded $15 million before disruption.
4. HOKA Shoe Scam Wave (2021-2024): The BBB received nearly 490 reports concerning scams involving the popular HOKA One One shoe brand. Fraudsters imitated real sporting goods stores, primarily originating on social media. One victim who purchased three pairs for $99 via a Facebook ad received a legitimate-looking tracking number but never received the package or a refund after 12 weeks.
5. Walmart Marketplace Investigation (2024): CNBC investigated Walmart Marketplace, uncovering dozens of third-party sellers impersonating brands and selling counterfeit health products, posing potential dangers. A case study in 2024 detailed seizures of counterfeit toys by U.S. Customs, including fake children’s car seats that posed safety risks, linked to an operation shipping via Pandabuy.

Signs and Red Flags (10+ for Consumers/Businesses)

Consumer Warning Signs:

1. Pricing Anomalies: Prices are significantly lower (30-70%) than established retailers for the same products, or 30-90% discounts on popular items.
2. Payment Method Limitations: Sellers insist on direct bank transfers, cryptocurrency, wire transfers, or gift cards instead of secure methods.
3. Contact Information Issues: Only email contact forms or mobile numbers are provided, with no physical address or customer service phone line.
4. Urgency Creation: Claims of limited-time offers, countdown timers, or limited stock to pressure quick decisions.
5. Poor Website Quality: Spelling errors, grammatical mistakes, low-resolution images, or non-functional links.
6. Missing Security Indicators: Absence of “https://” in the URL or security trust seals.
7. Unrealistic Return Policies: Overly generous or completely absent return policies.
8. Domain Registration Issues: Domains were recently registered (within the last 6 months) for supposedly established businesses.
9. Lack of Reviews: No independent reviews or exclusively positive reviews with similar phrasing.
10. Domain Irregularities: Misspelled URLs, extra hyphens, or unusual Top-Level Domains (TLDs) like .top or .xyz.
11. PayPal Friends & Family Requests: Sellers specifically request payment using this option, which removes buyer protection mechanisms.
12. Copied Content: Product descriptions are identical to those found on legitimate retailer sites.

Business Warning Signs:

1. Unusual Traffic Patterns: Sudden spikes from unexpected geographic locations.
2. High Cart Abandonment Rates: Significantly above industry averages.
3. Multiple Failed Payment Attempts: From similar IP addresses or devices (often related to card testing).
4. Address Verification Mismatches: Differences between billing and shipping information.
5. Unusual Order Characteristics: Multiple orders of high-value items shipped to the same address.
6. Bot Activity: High bounce rates, short session durations, and repetitive behavior patterns.
7. VPN/Proxy Usage: A high percentage of traffic originates from known VPN exit nodes.
8. Suspicious Email Domains: Use of temporary email services or recently created accounts.
9. Behavioral Anomalies: Checkout completion occurs without browsing the site or cart additions.
10. Repeated Chargebacks: Frequent disputes or complaints about product quality.

Impact and Statistics

Financial Impact:

• Global fraud losses: E-commerce companies lose an estimated $48 billion annually to fraud.
• Hidden costs: Every $100 in fraudulent orders actually costs businesses approximately $207 when accounting for shipping, restocking, and customer support expenses.
• Projected growth: Losses from online payment fraud are projected to reach $206 billion globally by 2025 and climb to $107 billion by 2029.
• Regional concentration: 42% of global e-commerce fraud occurs in North America, followed by Europe at 26%.
• U.S. Specific: Online shopping issues were the second most commonly reported fraud category to the FTC in 2024, with nearly $400 million in losses reported in 2023.
• Per-Victim Losses: BBB Scam Tracker data shows median losses of $78 in 2024, with over 80% of consumers reporting monetary losses.

Consumer Impact:

• Victim statistics: Approximately 43% of e-commerce consumers have experienced payment fraud.
• High-risk categories: Luxury goods and collectibles have seen an over 100% rise in fraudulent activity.
• Singapore case study: E-commerce scams accounted for at least S$17.5 million in losses in 2024.
• Psychological effects: Fraud results in eroded trust, leading to 30% of consumers avoiding online shopping. 

Region	Annual Fraud Losses (2025 Projections)	Year-over-Year Growth	Primary Fraud Types
North America	$20.2 billion	18%	Fake stores, account takeover
Europe	$12.5 billion	14%	Phishing, counterfeit goods
Asia-Pacific	$9.8 billion	22%	Mobile payment fraud, fake stores
Latin America	$4.1 billion	27%	Triangular fraud, chargebacks

Source for regional projections is the comprehensive report data.

Perpetrators and Motivations

Perpetrator Profiles:

1. Organized Crime Groups: These are sophisticated networks, often operating across international borders, that treat e-commerce fraud as a business enterprise. They employ technical specialists for website development and money mules for payment processing, simultaneously running multiple fake storefronts. Organized syndicates in China and Eastern Europe are common, motivated by high profits from stolen data and goods.
2. Individual Entrepreneurs: These are lone actors or small groups leveraging easily accessible e-commerce tools. They often follow online tutorials or purchase fraud-as-a-service kits from dark web marketplaces.
3. Insider Threats: Employees with technical knowledge who exploit system vulnerabilities or sell access to external fraudsters.
4. Dropshipping Gone Wrong: Businesses that start legitimately but transition to fraud when they cannot fulfill orders, keep payments and disappear.

Profit Models:

1. Direct Profit: Immediate revenue from sales of non-existent or counterfeit goods, with typical victim losses ranging from $50 to $500 per transaction.
2. Data Harvesting: Collection and resale of personal and payment information on dark web marketplaces. Complete identity profiles sell for $30-$100 depending on completeness.
3. Compound Fraud: Using stolen payment information for other fraudulent schemes, creating multiple revenue streams.
4. Counterfeit Goods: Low-cost manufacturing ($2-5) sold at premium prices ($50-100), yielding profit margins of 90%+.

Legal and Regulatory Aspects

Relevant Laws and Enforcement:

• Wire Fraud Statutes: In the United States, the federal wire fraud statute (18 U.S.C. § 1343) provides penalties of up to 20 years imprisonment for schemes using electronic communications.
• INFORM Consumers Act (U.S.): Implemented in 2023, this regulation requires online marketplaces to verify third-party seller information and provide consumers with contact details for high-volume sellers.
• General Data Protection Regulation (GDPR) (EU): European regulations impose strict data protection requirements and significant fines (up to 4% of global revenue) for companies that fail to adequately protect consumer data.
• Payment Card Industry Data Security Standard (PCI DSS): Global standards mandating security measures for processing payment cards, with updated requirements in 2025 addressing emerging threats.
• Digital Services Act (DSA) (EU): Enhanced platform accountability for illegal content, implemented in 2024.

Enforcement Challenges:

• Jurisdictional Issues: Fake stores often operate across international borders, creating complex jurisdictional challenges for law enforcement.
• Rapid Adaptation: Fraudsters quickly modify operations in response to enforcement, with average storefront lifetimes of 45-90 days before disappearing.
• Resource Limitations: Law enforcement agencies often lack specialized digital commerce investigation units and resources to combat the massive scale of these crimes.
• Cryptocurrency Complications: Digital assets are difficult to trace and seize.

Prevention and Mitigation Strategies

Consumer Protection Strategies:

• Verification Practices: Use reverse image searches on product photos to identify stolen images, check domain registration dates using WHOIS lookup tools, and search for independent reviews across multiple platforms. Verify business addresses through mapping services.
• Transaction Security: Use credit cards instead of debit cards for additional protection, and utilize secure payment platforms (PayPal, Stripe) rather than direct transfers. Enable two-factor authentication on shopping accounts and monitor bank statements regularly.
• Technical Protections: Install reputable antivirus and anti-malware software, use browser extensions that flag known fraudulent sites, and avoid making purchases on public WiFi networks. Use tools like Have I Been Pwned to check for compromised credentials.

Business Protection Strategies:

• Fraud Detection Systems: Implement AI-powered fraud detection that analyzes transaction patterns. Use Address Verification Systems (AVS) and Card Verification Codes. Deploy device fingerprinting and monitor for site impersonation through brand protection services. Tools like Sift, Riskified, Signifyd, and Forter are used for automated fraud detection and chargeback guarantees.
• Operational Security: Regularly update e-commerce platforms and plugins. Conduct employee training on recognizing fraudulent activities, and maintain PCI DSS compliance.
• Platform-Level Protections: Require mandatory identity verification (KYC) for sellers, use AI to detect stolen product listings, and implement machine learning for anomaly detection.

Future Trends and Emerging Threats

1. AI-Enhanced Fraud: Artificial intelligence is weaponized to create more convincing fake stores, generate realistic product images, and produce deepfake customer reviews using stolen video content. Between 2022-2023, deepfake-related fraud in the Asia-Pacific region rose by 1,540%, indicating rapid criminal adoption.
2. Mobile-First Threats: Since 43% of all e-commerce sales occur via mobile devices, fraudsters are developing sophisticated mobile-specific threats, including fake shopping apps distributed through official app stores and SMS phishing (smishing) campaigns.
3. Synthetic Identities: Criminals blend real and fake information to bypass identity verification, using fabricated identities to create seemingly legitimate seller accounts and make fraudulent purchases.
4. Metaverse Shopping Scams: Future threats include fake virtual storefronts in platforms like Decentraland, NFT counterfeit goods, and virtual real estate scams.
5. Quantum Computing Preparedness: Development of quantum-resistant encryption standards is needed to protect against future decryption capabilities.

Data Gaps and Verification Suggestions: Specific, quantitative data detailing the financial loss attributable only to counterfeit marketplaces (excluding other fake store types like non-delivery) is often bundled within broader e-commerce fraud reports, making precise measurement difficult. Verification should focus on standardized fraud classification across regions and enhanced platform reporting mechanisms for counterfeit listings.

2. Advance Fee Scams (E-commerce)

Advance fee e-commerce scams involve fraudulent sellers demanding full or partial payment upfront before delivering goods, which are subsequently either never shipped, significantly delayed, or differ substantially from the advertised products. This tactic exploits the fundamental e-commerce structure where payment precedes delivery. The scam has historical roots in traditional advance-fee fraud (e.g., Nigerian “419” scams) but has evolved into sophisticated e-commerce operations often masquerading as legitimate pre-orders or custom-order businesses requiring deposits in 2025. This scam is prevalent, affecting 43% of e-commerce consumers.

How It Works (Step-by-Step Mechanism)

Phase 1: Legitimacy Establishment Scammers create professional-looking websites with shopping carts and payment gateways. They offer pre-orders for high-demand products (like gaming consoles) or advertise custom or made-to-order products requiring deposits. They utilize social proof through fake reviews and testimonials to appear credible. Scammers post attractive ads on social media, often utilizing bots for mass advertisement campaigns and VPNs to hide their location.

Phase 2: Payment Collection The operations typically demand 100% upfront payment or require non-refundable deposits (often 30-50% of the purchase price). Victims are required to pay through non-reversible payment methods:

• Wire transfers (Western Union, MoneyGram).
• Cryptocurrency (Bitcoin, Ethereum).
• Gift cards (iTunes, Amazon, prepaid cards).
• Payment app “friends and family” options, which remove buyer protections.

Phase 3: Delay and Deception After payment, scammers may provide fake tracking numbers or link to non-existent parcels. They string victims along by citing “supply chain issues,” “customs delays,” or “inventory problems” to prevent immediate reporting. Victims may even be asked for additional fees for “shipping” or “customs”.

Phase 4: Exit Strategy Scammers eventually cease communication, block contact attempts, shut down the website and social media accounts, and rotate to new domains and identities.

Real-World Examples and Case Studies

1. PayPal Friends & Family Honeybee Scam (2024): A case involved Dylan from Richmond, Indiana, who encountered a business in a Facebook beekeeping group claiming to sell honeybees. He was instructed to pay through PayPal using the “friends and family” option, which removed buyer protections. He received a fake tracking number but never the product.
2. Pre-Order Gaming Console Scam (2023-2024): During shortages of major gaming consoles, numerous websites advertised guaranteed pre-orders requiring full payment. Investigation revealed an average loss per victim of $600–$800, with estimated total victims exceeding 15,000 across North America. Websites disappeared after collecting approximately $10 million.
3. Custom Furniture Deposit Scam (2024): An Instagram-based operation advertised custom handmade furniture, requiring 50% deposits ($500–$2,000) for “materials”. The scammers provided progress photos stolen from legitimate craftspeople and repeatedly extended delivery timelines. After blocking customers, the operation closed but reopened under a different business name within weeks, resulting in $150,000+ total losses.
4. Duplicate Payments Scams (2023): A PwC report mentioned duplicate payments scams that defrauded merchants, including one U.S. case that resulted in a $100,000 loss.
5. Gift Card Demands (2019): An FTC case involved advance fee scams demanding payment via gift cards, leading to arrests in India.

Signs and Red Flags (10+ for Consumers/Businesses)

Consumer Warning Signs:

1. Payment Method Insistence: Insistence on wire transfers, cryptocurrency, gift cards, or “Friends & Family” payments.
2. Upfront Fees: Requests for upfront fees beyond standard purchase costs.
3. Pressure Tactics: Pressure to pay quickly to “secure limited inventory” or time-sensitive deals.
4. No Escrow Service: Unwillingness to use secure payment methods or escrow services.
5. Vague Details: Vague product details or evasive responses about shipping and delivery.
6. No Refund Policy: The absence of a refund policy or impossibly restrictive refund terms.
7. High Deposits: Requiring 100% payment for pre-orders or custom items, or deposits exceeding 10-20%.
8. Communication Quality: Poor grammar and spelling in business communications.
9. Foreign Seller Claims: A foreign seller claiming local inventory or expedited local shipping.
10. Fake Tracking: Provision of fake tracking numbers.
11. Switching Channels: Reluctance to provide order confirmation or switching communication channels (e.g., email to WhatsApp/Telegram).

Business Warning Signs:

1. High-Value Orders: High-value orders originating from new IP addresses.
2. Mismatched Payment Details: Payment details do not align with billing or shipping information.
3. Repeated Fee Escalations: Requests for multiple subsequent “fees” after the initial payment.

Impact and Statistics

• Global Losses: Advance fee scams contribute significantly to the $48 billion in global annual fraud losses.
• U.S. Losses: Part of the $12.5 billion in consumer-reported losses to the FTC in 2024.
• Victim Financial Loss: 71.6% of victims experience financial loss.
• Average Loss: Average loss per advance-fee incident ranges from $200 to $1,500.
• Recovery Rate: Recovery rate is exceptionally low, typically <5%, due to the use of irreversible payment methods.
• Psychological Effects: Victims report anxiety and erosion of trust. 

Year	Global Losses ($B)	U.S. Victims
2020	20	1M
2021	25	1.2M
2022	41	1.5M
2023	43	2M
2024	44	2.5M

Perpetrators and Motivations

The primary perpetrators include lone actors in Nigeria and sophisticated syndicates in Africa and Asia. These operations often focus on quick cash profit and data resale. Trends indicate the use of AI for victim profiling to increase the personalization and effectiveness of the scam messages.

Legal and Regulatory Aspects

These scams are covered by general fraud laws:

• U.S. Legislation: The Advance Fee Fraud Act is relevant in the U.S., alongside the federal Wire Fraud Statute (18 U.S.C. § 1343).
• EU Legislation: The Consumer Rights Directive applies in the European Union.
• Challenges: Cross-border jurisdictional complexity remains a significant hurdle. Policy updates for 2025 require platforms to enhance payment verification measures.

Prevention and Mitigation Strategies

For Consumers:

• Payment Safety: Never use irreversible payment methods (wire, crypto, gift cards). Use escrow services for high-value purchases.
• Due Diligence: Research sellers thoroughly before making deposits.
• Documentation: Screenshot and document all communications, emails, and receipts.
• Credit Card Use: Dispute charges using credit card protections where possible.

For Businesses:

• Verification: Implement comprehensive seller verification processes.
• Fraud Tools: Utilize fraud detection systems like Riskified.
• Platform Controls: Implement escrow systems and restrict high-risk payment methods for new sellers.

Future Trends and Emerging Threats

Future threats include the deployment of AI chatbots for sophisticated persuasion tactics. The evolution of e-commerce into digital environments may also lead to metaverse fees as a new form of advance payment demand. Recommended research focuses on behavioral analytics to predict susceptibility to these scams.

3. Fake Auction Sites

Fake auction sites involve the use of fraudulent online auction platforms or manipulated auctions on legitimate sites where bidding processes are rigged, winning bidders never receive goods, or items are heavily misrepresented. This scam exploits the competitive nature of auctions and the perceived value of obtaining a deal. The phenomenon has evolved from early 2000s eBay frauds to sophisticated, AI-manipulated platforms in 2025. Auction fraud is particularly challenging because it often appears legitimate on the surface. This type of fraud is part of the broader $16.6 billion internet crime losses reported.

How It Works (Step-by-Step Mechanism)

Fake Auction Platform Operations:

1. Platform Creation: Scammers clone legitimate auction site designs (e.g., eBay, Sotheby’s) and register domains with minor spelling variations. They implement seemingly functional bidding systems and populate the sites with stolen product images.
2. Traffic Generation: Traffic is generated through email campaigns targeting collectors, social media advertising for “exclusive estate sales,” and SEO for high-value items (art, jewelry).
3. Auction Manipulation: Fraudsters engage in Shill Bidding, using fake accounts to artificially drive up prices. They may also use Phantom Bidders to create urgency or employ last-minute manipulation to prevent legitimate final bids.
4. Payment Collection: Winners are instructed to pay immediately via wire transfer or cryptocurrency only to “secure the item”. The platform then goes offline after collecting payments.

Legitimate Platform Manipulation:

• Shill Bidding: Using accomplice accounts to inflate prices.
• Bid Shielding: An accomplice places an extremely high bid, retracts it at the last moment, leaving a shill’s lower bid as the winner.
• Bid Siphoning: Contacting bidders off-platform with “second chance” offers at lower prices.
• Fee Stacking: Adding unexpected fees after the auction concludes, such as inflated shipping costs or “handling charges”.

Real-World Examples and Case Studies

1. European Fake Auction Site (2023): A sophisticated fake auction site targeting European collectors defrauded victims of approximately €850,000. The site offered rare collectibles and luxury items and implemented a complex bidding system rigged to favor the operators through fake bidder accounts. Cryptocurrency payments were used to obscure transaction trails.
2. Luxury Watch Auction Scam (2023): A fake auction platform mimicking Christie’s watch auctions listed rare timepieces using stolen images. The platform collected $2.3 million from 47 victims across 8 countries before shutting down. Average loss per victim was high: $48,936.
3. eBay Shill Bidding Ring (2024): A network of 15 coordinated accounts manipulated comic book auctions for 18 months, artificially inflating rare comic book prices by 40–200%. Estimated total victim losses exceeded $500,000.
4. Art Auction Investment Scam (2024): This operation targeted high-net-worth individuals with an “exclusive” invitation-only platform featuring AI-generated contemporary art. Thirty-four victims invested a total of $4.7 million through cryptocurrency payments before the platform dissolved.
5. Trade Me Auction Site (2024): The platform paid $70,000 to victims of counterfeit schemes, with scammers profiled as organized groups from Nigeria.

Signs and Red Flags (10+ for Consumers/Businesses)

Consumer Warning Signs:

1. Shill Bidding: Bidding patterns show increments occurring simultaneously, or accounts only bidding on specific seller’s items.
2. Fake Accounts: The presence of fake user accounts or winning bidders never leaving feedback.
3. No Verification: Lack of verification mechanisms for bidders or sellers.
4. Urgent Closes: Pressure due to urgent bid closes.
5. Poor Site Security: Websites lack security features or the padlock icon.
6. Off-Site Payments: Demands for off-site communication or payments for “better deals”.
7. Vague Terms: Vague or inconsistent terms and conditions.
8. Foreign Domain: Foreign domain registrations for a supposedly local business.
9. Stock Photos: Listings use stock photos instead of actual item photos.
10. Seller History: Seller account is recently created or has inconsistent feedback history.

Business Warning Signs:

1. Bot Traffic: Traffic spikes originating from known bot networks.
2. Anomalous Bid Histories: Bid histories showing suspicious or cyclical patterns.
3. Winner Complaints: Repeated complaints from winners about non-delivery or item discrepancies.

Impact and Statistics

• U.S. Losses: Auction fraud contributes to the $309.6 million in U.S. non-delivery losses.
• Global Estimates: Estimated annual losses are $300–$500 million globally (2024).
• Average Loss: The average loss per incident is high, at $3,200, significantly higher than typical e-commerce fraud.
• Specific Categories: Art and collectible fraud accounts for $150 million annually, and electronics auction fraud for $100 million annually.
• Victim Demographics: Most affected demographics are males aged 45–65, collectors, and investors. 

Type	Losses ($M)	Victims
Auction Fraud (Est.)	100	0.5M

Note: Specific auction-only statistics are not separately published by FTC, often bundled with online shopping/negative review categories.

Perpetrators and Motivations

Perpetrators include syndicates in Chile and India, motivated by profit from bid inflation and the resale of luxury goods or collectibles. Emerging trends show the use of AI bidding bots to optimize manipulation and avoid detection. Large-scale operations often involve organized professional fraud rings with specialized roles.

Legal and Regulatory Aspects

• U.S. Laws: Auction Fraud laws are specifically applicable. Wire fraud charges (18 U.S.C. § 1343) apply to these electronic schemes.
• EU Laws: The Unfair Commercial Practices directive is relevant.
• Policy Updates (2025): There is anticipation for enhanced bot bans and regulatory requirements. The UETA (Uniform Electronic Transactions Act) provides a legal framework for electronic auctions.
• Challenges: Platforms face legal complexities regarding liability, though many are investing heavily (e.g., eBay invested over $200 million in 2023) to combat fraud.

Prevention and Mitigation Strategies

For Consumers:

• Platform Use: Use only established auction sites and verify platform authenticity by manually typing the URL.
• Due Diligence: Research sellers thoroughly (feedback, account age), request additional photos/videos, and verify item authenticity through third-party experts.
• Payment: Use platform-integrated payment systems only and rely on credit cards for protection.
• Bidding: Monitor bidding patterns for suspicious activity and set maximum bid limits.

For Platforms:

• Verification: Require identity verification (KYC) for all sellers and link accounts to verified payment methods.
• Monitoring: Implement AI-powered detection of shill bidding patterns and monitor bid retraction patterns.
• Security: Offer escrow services for high-value items and provide robust dispute resolution.

Future Trends and Emerging Threats

Future trends include the development of quantum-secure auctions and a rise in NFT fraud.

Data Gaps and Verification Suggestions: Specific, current FTC data on the portion of internet crime losses attributable solely to fake auction sites remains aggregated within broader categories. Verification efforts should focus on standardized reporting requirements for large auction platforms to segment fraud types accurately.

4. Formjacking

Formjacking, also known as web skimming or digital card skimming, involves cybercriminals injecting malicious JavaScript code into legitimate e-commerce websites to intercept and steal payment card details and personal information as customers enter them during checkout. This sophisticated attack method targets the client side of the transaction and emerged around 2017 with the rise of the Magecart threat actor groups. Formjacking has become a highly concerning digital threat targeting the $5+ trillion global e-commerce industry. Symantec reported that formjacking attacks affect approximately 4,800 websites monthly.

How It Works (Step-by-Step Mechanism)

Phase 1: Initial Compromise Attackers gain access to e-commerce infrastructure through multiple vectors:

• Third-Party Supply Chain Attacks (Magecart style): Exploiting third-party connections, such as compromised scripts from analytics platforms, chat widgets (LiveChat, Intercom), payment processors, CDNs, or tag management systems (Google Tag Manager). A major 2024 campaign exploited vulnerability CVE-2024-34102, nicknamed CosmicSting, to compromise Magento plug-ins.
• Direct Website Compromise: Exploiting unpatched Content Management System (CMS) vulnerabilities (WooCommerce, Magento, Shopify apps).
• Credential Theft: Brute-force attacks on admin credentials or social engineering of developers.

Phase 2: Skimmer Injection and Interception The malicious JavaScript code is injected, often heavily obfuscated (using Base64, Hexadecimal encoding, or polymorphic code) to bypass security controls.

• Injection Locations: JavaScript files loaded on checkout pages, payment form HTML, or compromised third-party script tags.
• Data Capture: The skimmer operates invisibly, using keylogger functionality to capture keystrokes, copy-paste actions, and autofill data. It hooks into form submission events, capturing data before legitimate payment processing.

Phase 3: Data Exfiltration Stolen data is transmitted to attacker-controlled domains (often rotated frequently) via:

• Remote Servers: HTTP POST requests, with data often encoded/encrypted.
• Legitimate Services Abuse: Using services like Google Forms, Pastebin, or cloud storage to hide exfiltration.
• Covert Channels: Techniques like DNS tunneling or image steganography.

Phase 4: Monetization Stolen payment card data is monetized through sales on dark web marketplaces ($5–$100 per card) or used for direct Card-Not-Present (CNP) fraud.

Real-World Examples and Case Studies

1. British Airways Breach (2018): Although slightly predating the 2020-2025 window, it is the most notorious case: 380,000 payment cards were compromised over 15 days. The malicious script was loaded from an attacker-controlled domain (baways.com) mimicking the legitimate site. The breach resulted in a £20 million GDPR fine.
2. WooCommerce Formjacking Campaign (May 2025): The Wordfence Threat Intelligence team discovered new formjacking malware specifically targeting WooCommerce-based sites. This campaign was unique because it injected entire fake payment forms rather than just intercepting data. It affected over 500 small-to-medium stores, compromising an estimated 15,000–20,000 cards.
3. CosmicSting Magento Campaign (2024): A major campaign exploited vulnerability CVE-2024-34102 to compromise Magento plug-ins and inject skimmers across hundreds of online stores. The vulnerability had a CVSS 9.8 (Critical) severity, affecting over 800 confirmed sites and potentially 2,000+ total.
4. WordPress E-commerce Backdoor (March 2025): A multi-stage attack installed both a skimmer and a persistent backdoor on a single high-traffic WordPress/WooCommerce store. The operation was active for 8 months before detection and compromised an estimated 5,000–8,000 cards.
5. Google Tag Manager Abuse (2024): Attackers compromised GTM account credentials and injected a skimmer via a GTM tag, affecting 200+ sites using the compromised container.

Signs and Red Flags (10+ for Consumers/Businesses)

Consumer Warning Signs (Highly Challenging to Detect):

1. Slow Loading Forms: Unusual delays or stuttering on checkout pages.
2. Unexpected Redirects: Unusual behavior or redirects after payment processing.
3. No HTTPS: (While rare in modern formjacking, still a sign).
4. Fraudulent Charges: Unauthorized transactions appearing 1–7 days after the legitimate online purchase.

Merchant/Technical Warning Signs (More than 10):

1. Code Anomalies: Unexpected JavaScript files on checkout pages.
2. Obfuscated Code: Presence of heavily obfuscated or minified code without documentation.
3. External Scripts: External scripts loading from unfamiliar or unauthorized domains.
4. Network Traffic: Unexpected outbound connections or data transmission during checkout.
5. DNS Queries: DNS queries for suspicious, unknown domains.
6. File System Changes: Modified timestamps on core files or new files in plugin/extension directories.
7. Customer Complaints: A sudden surge in chargeback requests or fraud complaints.
8. Performance Degradation: Increased page load times on checkout pages.
9. WAF/CSP Violations: Alerts from Web Application Firewalls (WAF) or Content Security Policy (CSP) violations.
10. High Abandonment Rates: Significantly high cart abandonment rates.
11. Repeated Card Declines: Repeated card decline messages post-purchase.

Impact and Statistics

• Global Annual Losses: Estimated at $1–$3 billion (2024 estimate).
• Cost Per Breach: Average cost per breached card is $150–$200, including replacement costs, investigation, and chargeback fees ($25–$100 per chargeback).
• Detection Time: Attacks often go undetected for an average of 197 days from infection to discovery.
• Compliance Fines: Non-compliance with PCI DSS can result in fines of $5,000–$100,000 per month.
• Industry Impact: E-commerce retail sites are the primary targets (45%), followed by financial services (23%) and hospitality/travel (18%).
• Consumer Trust: 67% of breach victims avoid the affected merchant in the future.

Perpetrators and Motivations

Threat Actor Categorization:

1. Magecart Groups: At least 12 distinct Magecart groups are identified, specializing in web skimming attacks. Group 1 is highly sophisticated, focusing on high-value targets, while Group 4 conducts mass, indiscriminate infections.
2. Organized Cybercrime: Syndicates from Eastern Europe (Russia, Ukraine, Bulgaria) provide technical expertise, while West African groups handle money laundering, and Southeast Asian operations execute card fraud.
3. Insider Threats: Estimated to be involved in 5–10% of incidents, often involving disgruntled developers or compromised contractor accounts.

Profit Models: The primary motivation is Card Resale on dark web marketplaces (e.g., Brian’s Club, Yale Lodge). Pricing ($5–$100 per card) is tiered based on card limit, bank issuer, and availability of CVV/cardholder details. Secondary motives include Direct Fraud (gift card purchases, digital goods) and leveraging initial access for a Ransomware Pivot.

Legal and Regulatory Aspects

• Criminal Penalties: Formjacking involves multiple federal crimes including computer fraud and abuse, wire fraud, identity theft, and money laundering, carrying penalties of up to 20 years in prison.
• PCI DSS Compliance: Formjacking directly violates PCI DSS Requirements 6 and 11. PCI DSS v4.0 (2025) specifically mandates organizations manage payment page scripts and deploy change detection mechanisms.
• GDPR: Attacks can result in massive fines, up to 4% of annual global turnover or €20 million.
• Civil Liability: Merchants face class-action lawsuits from affected customers.

Prevention and Mitigation Strategies

For Merchants (Technical Focus):

1. Client-Side Security: Implement Content Security Policy (CSP) headers and Subresource Integrity (SRI) checks to restrict unauthorized script execution.
2. Monitoring Solutions: Deploy client-side security monitoring (e.g., DataDome, F5) and use File Integrity Monitoring (FIM) to detect unauthorized changes.
3. Verification: Utilize 3D Secure 2.0 and Behavioral Biometrics (BioCatch) for continuous authentication.
4. Audits: Conduct regular security audits of all third-party scripts and maintain PCI-compliant hosts.

For Consumers:

• Payment Tokenization: Use virtual credit card numbers and digital wallets that tokenize payment information.
• Monitoring: Monitor bank statements regularly and enable transaction alerts.
• Card Choice: Use credit cards rather than debit cards for better protection.

Future Trends and Emerging Threats

Future threats include:

1. AI-Evading Injections: Use of AI to create code injections that bypass current detection systems.
2. Quantum Decryption: Quantum computing risks threatening current encryption standards (RSA, ECC).
3. Generative AI Sophistication: AI will create more convincing deepfake video testimonials and AI-generated product images.
4. Platform Liability Expansion: Potential Section 230 reforms in the U.S. could increase marketplace accountability for these attacks.

Shipping and Delivery Fraud

1. Fake Parcel Delivery Notifications

Fake parcel delivery notification scams are a sophisticated form of social engineering, primarily delivered through SMS (smishing), that exploits consumers’ anticipation of legitimate package deliveries. Scammers impersonate major shipping companies (UPS, FedEx, DHL) and postal services to trick recipients into revealing personal information or making fraudulent payments. This is one of the fastest-growing fraud types. The FTC reports that fake package delivery problems were the most commonly reported type of text scam in 2024, with consumers losing $470 million to text-based scams overall—a 26% increase from 2023.

How It Works (Step-by-Step Mechanism)

Initial Contact and Social Engineering: Consumers receive unsolicited SMS messages, emails, or app notifications claiming to be from postal services or carriers. These messages often reference a tracking number and claim delivery issues. The messages create urgency by suggesting packages will be returned to sender or destroyed if immediate action isn’t taken, prompting victims to bypass skepticism.

Information Harvesting: Links in these messages lead to sophisticated phishing websites that mimic legitimate carrier sites. Victims are prompted to enter personal information, payment details, or login credentials under the guise of “verifying identity” or “paying outstanding fees”. The smishing campaigns typically achieve high engagement rates, with 15–25% click-through rates.

Deployment: Scammers use tools like bots for mass text deployment and spoofed numbers to appear legitimate. Advanced campaigns may use number spoofing to appear in existing message threads with legitimate carriers.

Real-World Examples and Case Studies

1. Southeast Asian SMS Delivery Scam (2024): A coordinated smishing campaign across Malaysia and Singapore impersonated national postal services. It utilized number spoofing and led to links to fake tracking pages that harvested banking credentials. Authorities estimated over 5,000 victims lost approximately $2.1 million collectively.
2. UK Finance Parcel Scams (2025): Fake parcel delivery texts were identified as the top smishing scam in the UK, with millions lost.
3. India Post SMS Scam Network (2024): A massive operation targeted Indian consumers, claiming packages were intercepted with illegal items or awaiting delivery. The network used voice calls from callers posing as customs officials and directed victims to fraudulent websites, leading to losses of ₹50,000 for one victim.
4. UPS Impersonation Campaign (2024): Scammers targeted U.S. consumers with fake UPS notifications claiming packages were held due to address issues or required additional fees. The campaign intensified during holiday periods.
5. FedEx Courier Scam in India (2024): A sophisticated multi-phase operation started with an SMS, escalated to calls from fake FedEx reps, and then to fake law enforcement claiming illegal items, demanding immediate payment to avoid arrest. Victims reported losses ranging from ₹25,000 to ₹500,000.

Signs and Red Flags (10+ for Consumers/Businesses)

Consumer Warning Signs:

1. Unsolicited Texts: Messages received when no packages were expected.
2. Urgent Links: Messages contain urgent calls to action or links to click.
3. Spelling Errors: Presence of spelling errors or grammatical mistakes.
4. Unknown Numbers: Texts originate from unfamiliar or suspicious phone numbers.
5. Phishing Domains: Links point to URLs that do not match the official carrier domains.
6. No Order Match: The message tracking ID does not match any official order.
7. Demands for Fees: Unexpected demands for small fees (e.g., $1.99) to cover delivery or customs.
8. Spoofed Sender: The sender ID appears spoofed or generic.
9. Generic Greeting: Use of “Dear Customer” instead of personalized names.
10. Requests for PII: Requests for personal information, payment details, or passwords via text.

Business Warning Signs:

1. Complaint Spike: Sudden spike in customer complaints regarding fake delivery communications.
2. Fraud Alerts: Increased fraud alerts or chargebacks following a known smishing campaign targeting the brand.

Impact and Statistics

• Financial Impact: Americans lost $470 million to text scams in 2024, with fake delivery notifications being the largest category.
• Engagement Rate: Smishing campaigns typically achieve 15–25% click-through rates.
• Mobile Vulnerability: With 43% of e-commerce sales on mobile devices, mobile-first delivery scams have increased correspondingly.
• International Shipping: International orders see a 3.0% fraud rate compared to 2.6% for domestic orders, reflecting higher vulnerability.
• Victim Demographics: Adults aged 35–65 account for 52% of all fake delivery notification scam reports.

Perpetrators and Motivations

Perpetrators are typically international criminal networks or groups in Asia seeking quick data theft and financial gain. Modern operations employ advanced technology, including SMS spoofing services, professional web development tools, and automated victim targeting systems. The high volume, low-value nature of these scams allows criminals to generate substantial profits while operating below priority law enforcement thresholds.

Legal and Regulatory Aspects

• U.S. Laws: The Telephone Consumer Protection Act (TCPA) and wire fraud statutes apply.
• EU Laws: The ePrivacy Directive is relevant.
• Policy Updates (2025): There are mandates for enhanced SMS filtering and fraud alerts. The Indian government has launched comprehensive actions, collaborating with DoT to block spoof calls and fake websites.

Prevention and Mitigation Strategies

For Consumers:

1. Direct Verification: Always access carrier websites directly rather than clicking links in messages.
2. Tracking Management: Use official retailer apps or accounts for tracking.
3. Payment Awareness: Legitimate carriers never demand payment via gift cards or cryptocurrency.
4. PII Protection: Never provide personal details or passwords in response to delivery notifications.

For Businesses:

1. Customer Education: Proactively inform customers about legitimate communication methods.
2. Carrier Integration: Use integrated shipping systems that provide customers with verified tracking.
3. Operational Security: Partner with telecommunications providers to identify and block fraudulent messages.

Future Trends and Emerging Threats

Future threats include the use of deepfake voice calls to reinforce the scam and the leveraging of 5G-enabled mass smishing campaigns.

2. Package Intercept Scams

Package intercept scams involve a sophisticated form of extortion where criminals contact victims claiming that packages in their name have been intercepted by law enforcement agencies (e.g., customs, police) due to containing illegal items (drugs, contraband, fake documents). These scams exploit victims’ fear of legal consequences and their unfamiliarity with legitimate law enforcement procedures to extract money or personal information. The psychological manipulation often leads to what authorities term “digital arrest,” where victims are coerced into payments while being kept on video calls for hours.

How It Works (Step-by-Step Mechanism)

• Initial Contact and Intimidation: Scammers initiate contact through phone calls from spoofed numbers, claiming a package addressed to the victim has been intercepted. The initial call is designed to create immediate fear and urgency.
• Authority Impersonation: Fraudsters impersonate officials from various agencies (Customs and Border Protection, DEA, FBI, police, postal inspection services). They use official-sounding language, fake tracking numbers, forged official documents, and may even conduct video calls from locations staged to look like police stations.
• Escalation and Control: The interaction escalates by transferring victims to “supervisors” or “legal departments”. They maintain continuous contact to prevent victims from seeking outside advice or verification. In some sophisticated cases, the scammers may use stolen package tracking numbers and personal information to contact carriers and reroute high-value goods to alternate addresses, a variation known as package interception.
• Payment Extraction: Victims are told they can resolve the situation by paying “legal clearance charges,” “case dismissal fees,” or “bond money” to avoid immediate arrest. Payments are demanded through non-traceable methods like cryptocurrency, wire transfers, or gift cards.

Real-World Examples and Case Studies

1. Bengaluru Executive Loss (2023): A senior executive lost ₹1.2 crore ($144,000) to a sophisticated package intercept scam. The scam involved a caller claiming a package contained illegal drugs, transferring the victim to fake police officers who maintained him in “digital arrest” via video call for several hours.
2. International Customs Scam Network: A coordinated operation targeted professionals globally with claims that international packages contained illegal items, demanding payment to avoid regulatory action. A software engineer lost $85,000 after being convinced a package contained fake passports.
3. United States Package Interception Ring (2023): A criminal group in California used stolen identity information to intercept high-value electronics purchases. They tracked shipments using compromised carrier accounts and requested reroutes to vacant properties, successfully intercepting over $500,000 in merchandise.
4. Calls about Drugs (2022): BBB reports documented cases where victims received calls about packages containing illegal drugs.
5. COVID-19 PPE Scam Variation (2021): Scammers adapted the technique to target businesses, claiming ordered PPE shipments contained dangerous products and demanding “$5,000–$50,000” compliance fees to avoid regulatory action.

Signs and Red Flags (10+ for Consumers/Businesses)

Consumer Warning Signs:

1. Threatening Calls: Unsolicited calls claiming law enforcement involvement.
2. Immediate Arrest Threats: Immediate threats of arrest or legal action.
3. Urgent Payment Demands: Demands for immediate payment (fines or bonds) to resolve the issue.
4. Payment Method: Requests for payment via cryptocurrency, gift cards, or wire transfers.
5. Secrecy: Instructions not to contact lawyers or family members.
6. Emotional Pressure: Use of emotional or high-pressure tactics.
7. Unverifiable Officials: Officials unwilling to provide proper identification or badge numbers.
8. Procedural Inconsistency: Law enforcement claiming to resolve serious legal cases through phone payments.
9. No Official Documentation: Lack of official documentation sent through proper channels.
10. Continuous Contact: Pressure to remain on the phone or video call for extended periods (“digital arrest”).

Business Warning Signs:

1. Redirect Requests: Suspicious requests for package redirection after an order is placed.
2. Mismatched Addresses: Differences between billing addresses and attempted delivery reroutes.

Impact and Statistics

• Financial Losses: These scams are part of the overall $1.3 billion in imposter losses. India estimates losses exceeding ₹100 crores annually.
• Vulnerable Groups: The elderly are often hit hard by imposter scams.
• Psychological Trauma: Victims often experience severe psychological trauma from prolonged intimidation and fear tactics.

Perpetrators and Motivations

These scams are operated by international criminal organizations and syndicates, particularly those utilizing professional call center operations in India and other countries. The motivation is high-profit extortion, leveraging fear and authority. They employ sophisticated technology, including voice-over-IP services for call spoofing and professional video conferencing setups.

Legal and Regulatory Aspects

• Criminal Penalties: Charges typically include impersonation of federal officers, extortion, wire fraud, identity theft, and money laundering.
• U.S. Statute: The federal Mail Fraud Statute is applicable.
• International Cooperation: Law enforcement agencies are increasing coordination to combat these transnational scams.

Prevention and Mitigation Strategies

For Consumers:

1. Verify Authority: Understand that legitimate law enforcement agencies never demand immediate payment to resolve cases or accept gift cards.
2. Direct Contact: Verify any claimed investigation by contacting the agencies directly using official, independently verified phone numbers.
3. Refuse Payment: Never provide personal information or make payments based solely on phone or video calls.

For Law Enforcement/Government Agencies:

1. Public Communication: Establish clear public communication about legitimate procedures for package interceptions.
2. Hotlines: Create dedicated hotlines for citizens to verify supposed investigations.
3. Coordination: Coordinate with international partners and telecommunications providers to disrupt operations.

Future Trends and Emerging Threats

The key future threat is the use of AI voice cloning to impersonate specific officials or individuals known to the victim, making the threats even more convincing.

3. Delivery Fee Scams

Delivery fee scams exploit consumers’ familiarity with legitimate shipping processes by creating false scenarios that supposedly require additional payments for problematic deliveries (e.g., customs, insufficient postage). The rise of e-commerce has normalized the concept of various shipping fees, making these fraudulent requests plausible. Unlike legitimate carriers that use established billing, these scams demand immediate payment through non-reversible methods. According to telecom fraud specialists, delivery fee scams have increased by 400% since 2020.

How It Works (Step-by-Step Mechanism)

Scenario Creation and Contact: Scammers create plausible delivery problems, such as packages being held due to insufficient postage, customs duties for international shipments, or insurance/security fees. They contact victims through multiple channels—SMS messages, phone calls, and official-looking emails—to reinforce credibility.

Payment Demands: The fraudsters direct victims to pay the fees through non-traceable methods:

• Cryptocurrency transactions.
• Gift card purchases.
• Wire transfers.
• Mobile payment apps.

Persistence and Escalation: Operations may escalate by threatening legal consequences for non-payment, offering “discounts” for immediate action, or threatening the return or destruction of packages if fees are not paid. Links in SMS messages often lead to fake sites built using smishing kits.

Real-World Examples and Case Studies

1. Seasonal Holiday Scam (2024): A coordinated campaign during peak holiday shopping targeted consumers expecting high volumes of packages. Scammers sent SMS messages claiming packages were held due to a “holiday surcharge” fee ($3.99–$24.99). Estimated losses exceeded $2.3 million across multiple countries.
2. COVID-19 Safety Fee Scam (2021): Scammers claimed additional “sanitization fees” were required for package delivery due to COVID-19 protocols ($5–$35 per fee), capitalizing on public health concerns and unfamiliarity with new procedures.
3. Premium Delivery Service Scam: This sophisticated operation targeted consumers who had ordered high-value items, claiming additional “premium security fees” were required. Scammers obtained information about legitimate orders (likely through data breaches) to reference specific products, generating over $1.8 million in fraudulent fees.
4. SMS Fees (2025): Memcyco reported SMS fee scams leading to losses of $1,000+.

Signs and Red Flags (10+ for Consumers/Businesses)

Consumer Warning Signs:

1. Unexpected Fees: Unexpected requests for additional delivery fees.
2. Urgent Tones: Urgent language claiming packages will be returned or destroyed.
3. Payment Method: Payment requests through unusual methods (gift cards, crypto).
4. Spoofed Contact: Generic sender information or suspicious phone numbers/emails.
5. Fake Links: Links that do not lead to the official shipping company website.
6. Vague Issues: Vague explanations for the delivery problem.
7. No Official Channel: Lack of option to pay fees through official company billing systems.
8. High Fees: Fees significantly higher than typical shipping costs.
9. No Receipts: Failure to provide official receipts or confirmations.

Business Warning Signs:

1. Fraud Alerts: Increased fraud alerts reported by payment processors.
2. Unknown Charges: Customers reporting unknown charges related to delivery.
3. Repeat Contacts: Customers reporting repeat contacts regarding “delivery issues”.

Impact and Statistics

• Global Losses: Estimated global losses from delivery fee scams are over $300 million annually.
• Victim Demographics: Adults aged 25–55 represent 67% of victims.
• Seasonal Patterns: Activity spikes 300–400% during holiday shopping periods.
• Chargebacks: These scams contribute to the 18% dispute rate seen in e-commerce.

Perpetrators and Motivations

Perpetrators are usually organized criminal networks specializing in low-value, high-volume fraud, which allows them to process thousands of victims daily with minimal infrastructure. The motivation is consistent revenue generation under law enforcement radar. Modern operations utilize automated systems and sometimes artificial intelligence to personalize scam messages.

Legal and Regulatory Aspects

• Classification: These scams fall under wire fraud, mail fraud, and consumer protection violation statutes.
• Consumer Protection: Many jurisdictions have implemented specific regulations regarding unsolicited fee requests.
• Industry Response: Major shipping companies have established verification systems for consumers to confirm fee legitimacy.

Prevention and Mitigation Strategies

For Consumers:

1. Verification: Verify any unexpected fee requests through official shipping company websites or customer service.
2. Payment Channel: Use only official company payment channels for legitimate fees.
3. Skepticism: Be suspicious of urgent payment demands or threats.

For Shipping Companies:

1. Clear Policy: Implement clear communication policies about when and how additional fees are requested.
2. Education: Establish educational campaigns about common delivery fee scam tactics.

Future Trends and Emerging Threats

The primary future trend is the integration of these scams with instant payment fraud methods.

Other E-commerce Scams

Ticketing & Event Fraud

Ticketing and event fraud involves the sale of non-existent, counterfeit, or fraudulently obtained tickets for events such as concerts, sports, and festivals. This fraud type surges around events with high demand and limited availability. It has evolved from simple scalping to sophisticated operations using bot networks, artificial scarcity creation, and multi-platform marketing schemes. The magnitude of ticketing fraud has increased, with UK consumers losing £9.7 million to ticket fraud in 2024 a nearly 50% increase from the previous year.

How It Works (Step-by-Step Mechanism)

• Fake Inventory and Listings: Scammers create convincing listings on legitimate secondary ticket platforms or through fake box office websites. They use stolen images and details to create tickets they do not possess, often pricing them slightly below market rate.
• Digital Delivery Exploitation: E-tickets are easily forged and distributed; scammers provide realistic-looking PDF tickets that fail to scan at venues. Fraudsters often wait until the last moment to send tickets or provide excuses for digital delivery issues when verification is impossible.
• Platform Exploitation and Trust Building: Fraudsters target social media marketplaces (Facebook, Instagram) and classified sites. They use bot networks to create automated listings, utilize fake social media profiles with constructed histories, and employ manufactured urgency (claims of multiple buyers) to pressure victims.
• Payment Collection: Payment is collected through non-reversible methods like wire transfers, cryptocurrency, gift cards, or peer-to-peer payment apps.

Real-World Examples and Case Studies

1. Oasis Reunion Tour Scam (2024): This highly anticipated tour was targeted, resulting in over £2 million in losses to UK fans. Over 90% of the scams originated from fraudulent social media listings, with an average loss of £436 per victim.
2. Taylor Swift Era Tour Fraud Network (2023-2024): A coordinated international network created sophisticated fake ticketing websites that closely replicated official interfaces. The operation involved over 200 fake websites and social media accounts, generating an estimated $15 million in fraudulent sales.
3. Super Bowl LVIII Ticket Scam (2024): A complex operation around the Las Vegas event involved fake corporate hospitality packages and counterfeit tickets, with estimated total losses exceeding $8.5 million.
4. Festival Season Fraud Campaign (2024): A coordinated attack targeted major festivals (Glastonbury, Coachella), using networks of fake social media profiles to facilitate peer-to-peer sales and “seed” groups with fake success stories.
5. FTC Action (2025): The FTC took action against ticket resellers using illegal tactics to bypass ticket limit protections.

Signs and Red Flags (10+ for Consumers/Businesses)

Consumer Warning Signs:

1. Cheap Tickets: Prices significantly below face value or market rates.
2. Fake Sites: Websites with poor design, broken links, or missing security certificates.
3. Off-Platform Payments: Requests to move the transaction off the official platform.
4. Urgent Sales: Pressure tactics insisting on immediate purchase.
5. No Barcodes: Ticket images that appear generic or lack visible security features/barcodes.
6. Social Media Only: Sellers operating exclusively through social media direct messages or unverified groups.
7. No Refunds: A complete absence of a refund or guarantee policy.
8. Vague Details: Inconsistent event details or venue information.

Business Warning Signs:

1. Bot Buys: Sudden spikes in purchases from known bot networks targeting high-demand events.
2. Multiple Identical Listings: Multiple identical listings created by a single seller across different platforms.

Impact and Statistics

• Global Financial Impact: The global ticketing fraud market is estimated at $1.5 billion in annual losses.
• Fraud Distribution: Concert tickets account for 38% of all fraud reports in this category.
• Victim Demographics: Young adults aged 18–34 represent 58% of victims.
• Seasonal Patterns: Fraud spikes during summer festival season (May–September) and holiday concert periods.
• Recovery Rates: Recovery rates are extremely low, typically under 5%, as victims often only realize the fraud when attempting to enter the venue.

Perpetrators and Motivations

Perpetrators include highly organized networks using specialized roles: web developers for fake sites, social media specialists for marketing, and payment processors. They utilize bot networks for automated listing creation and artificial intelligence to generate convincing fake testimonials. The primary motivation is the high profit margin (often exceeding 90%) due to zero inventory costs.

Legal and Regulatory Aspects

• U.S. Law: The BOTS Act addresses the use of bots to bypass ticket limits. Wire fraud charges are common.
• EU Law: Consumer protection laws mandate disclosure of fees and verification requirements for resale platforms.
• International Enforcement: Law enforcement agencies are coordinating cross-border investigations, resulting in arrests and asset seizures.

Prevention and Mitigation Strategies

For Consumers:

1. Official Sources: Purchase tickets only from authorized primary sellers or verified resale platforms.
2. Protection: Use credit cards or protected payment methods that offer fraud coverage.
3. Verification: Request detailed photos of physical tickets and verify codes with official sources.

For Event Organizers/Platforms:

1. Anti-Bot Measures: Implement comprehensive anti-bot measures for initial sales.
2. Official Resale: Establish official resale channels with strong buyer protection.
3. Verification: Deploy advanced authentication methods (e.g., blockchain, QR codes) for tickets.

Future Trends and Emerging Threats

Future threats include fraud within VR event environments.

Synthesis Section

Overall Trends in E-commerce Scams

The e-commerce fraud landscape reflects several critical, interconnected trends driven by the post-pandemic acceleration of digital commerce. Consumer-reported fraud losses reached $12.5 billion in the U.S. in 2024, marking a 25% increase over the previous year.

1. Accelerating Sophistication (AI-Driven): There is a clear rise in sophistication, driven by AI. Artificial intelligence is being weaponized to create convincing fake stores, generate realistic product images, and produce deepfake customer reviews. The rapid growth of deepfake-related fraud (a 1,540% increase in the Asia-Pacific region between 2022 and 2023) signals a major shift toward AI-enabled deception.
2. Mobile-First Shift: Fraud tactics have migrated to mobile platforms, corresponding with the fact that 43% of all e-commerce sales now occur via mobile devices. This is evident in the rise of smishing (fake parcel notifications).
3. Cross-Border Complexity: Fraudsters increasingly exploit jurisdictional gaps and international enforcement challenges, complicating investigation and recovery efforts.
4. Targeting High-Value Assets: Certain sectors face disproportionate risk, with luxury goods and collectibles experiencing an over 100% growth in fraudulent activity, as fraudsters target high-value, easily resold merchandise.
5. Rise of Client-Side Attacks: Attacks like Formjacking (Magecart) remain highly effective, exploiting third-party dependencies and bypassing traditional perimeter security to capture data on the customer’s browser.

Comparative Analysis of Scam Types by Risk/Impact 

Scam Type	Risk Level (High/Med/Low)	Impact (Scale/Losses)	Detection Difficulty	Key Factor
Counterfeit Marketplaces (Fake Stores)	High	$4.2T projected by 2025 (Global Market Cost)	Medium	AI Reviews, Brand Impersonation
Advance Fee Scams (E-commerce)	Medium	$48B annual global losses (contributor)	High	Upfront Payments, Low Recovery Rate (<5%)
Fake Auction Sites	High	$300–$500M annual global loss (est.)	Medium	Shill Bidding, Bid Rigs
Formjacking (Web Skimming)	Very High	$28.1B projected by 2026 (Market Impact)	Very High	Code Injections, Client-Side Attack
Fake Parcel Delivery Notifications	Medium	$470M U.S. text losses (2024)	Medium-High	Smishing, Credential Theft
Package Intercept Scams	Medium	$200M+ U.S. annual loss (extortion)	Medium	Authority Impersonation, Threats
Delivery Fee Scams	Low	$300M annual global loss (est.)	Low	Extra Charges, High Volume
Ticketing & Event Fraud	High	$1.5B annual global loss (est.)	Medium	Fake Events, Emotional Urgency
Account Takeover	High	21% Merchant Concern	High	High Financial Impact
Triangulation Fraud	Low-Medium	High Financial Impact	Very High	Complex Fulfillment Chain

Risk level assessment synthesized from merchant concern and financial impact/detection difficulty.

5-7 Key Takeaways for Consumers/E-retailers/Policymakers

For Consumers:

1. Verification is Paramount: Always verify sellers through multiple independent sources before purchasing, particularly for high-value items. Use tools like reverse image search and WHOIS lookup to check domain registration dates.
2. Secure Payment Practices: Use credit cards and secure payment platforms (PayPal Goods & Services) rather than direct transfers, and enable two-factor authentication (MFA) where available. Be highly suspicious of payment requests via wire transfer, cryptocurrency, or gift cards.
3. Skepticism Toward Urgency: Be extremely suspicious of limited-time offers, urgent demands for action (e.g., immediate payment for a held package), or prices significantly below market value, as these are common psychological pressure tactics. Never click links in unexpected delivery notifications.

For E-retailers (Businesses): 

4. Layered Security Approach: Implement multiple complementary security measures, including AI-powered anomaly detection (e.g., Sift, Riskified), Address Verification Services (AVS), and device fingerprinting to protect against both payment fraud and account takeover. 

5. Client-Side Security Focus: Prioritize client-side security measures to prevent Formjacking, adhering to the enhanced requirements of PCI DSS 4.0 (2025) which mandate script management.

For Policymakers and Platforms: 

6. Standardized Verification & Accountability: Implement and enforce robust know-your-business (KYB) or know-your-customer (KYC) verification standards for all online merchants and high-volume sellers. Support policy updates like the INFORM Consumers Act. 

7. International Cooperation and Technology Investment: Develop robust cross-border enforcement mechanisms to address jurisdictional challenges posed by organized crime. Support research into AI-powered fraud detection and blockchain verification systems to address emerging threats like deepfakes and synthetic identities.

Data Gaps Noted in the Report: Specific financial loss data for certain categories (e.g., advance fee, fake auction sites) is often aggregated into broader “online shopping/non-delivery” reports by agencies like the FTC, making precise year-over-year tracking for niche fraud types challenging. Further research should focus on standardized fraud classification across market segments.

FAQs for E-commerce Scams

1. What are the most common types of e-commerce scams in 2025?

Common scams include counterfeit marketplaces, advance fee scams, fake auction sites, formjacking (web skimming), fake parcel delivery notifications, package intercept scams, delivery fee scams, and ticketing/event fraud.

2. How can consumers recognize fake online stores and marketplaces?

Look for signs such as too-low prices, lack of secure payment options, poor website quality, fake or stolen product images, absence of physical contact details, urgent purchase pressures, and suspicious domain registrations.

3. What is formjacking and how does it steal payment information?

Formjacking is a cyberattack injecting malicious code into legitimate e-commerce payment pages to capture sensitive payment details entered by customers before the form is submitted. It often exploits third-party scripts.

4. How do fake parcel delivery scams work and how to avoid them?

Fraudsters send smishing texts or calls pretending to be shipping companies, using fake tracking links leading to credential stealing or payment scams. Avoid clicking links in unsolicited messages and verify status on official carrier websites.

5. What are the most effective strategies for businesses to prevent e-commerce fraud?

Businesses should use AI-powered fraud detection tools, implement rigorous seller verification, prioritize client-side security (PCI DSS 4.0 compliance), educate consumers about scams, and coordinate with platforms and law enforcement for rapid fraud response.